US11785026B2 - Information processing device, information processing method and information processing program - Google Patents


Info

Publication number
US11785026B2
Authority
US
United States
Prior art keywords
transmission
transmission source
information
mail
information processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US17/268,279
Other versions
US20210320930A1 (en)
Inventor
Toshio Dogu
Takuya Matsumoto
Mitsunari SATOH
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digital Arts Inc
Original Assignee
Digital Arts Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Digital Arts Inc
Assigned to DIGITAL ARTS INC. reassignment DIGITAL ARTS INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: DOGU, TOSHIO, MATSUMOTO, TAKUYA, SATOH, Mitsunari
Publication of US20210320930A1
Application granted
Publication of US11785026B2

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/305 Authentication, i.e. establishing the identity or authorisation of security principals by remotely controlling device operation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Definitions

  • The embodiment of the present invention relates to an information processing device, an information processing method, and an information processing program.
  • Transmission source domain authentication technologies such as Sender Policy Framework (SPF) authentication, DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) have been widely used.
  • combinations of domains of transmission source mail addresses and transmission source IP addresses are registered in advance as appropriate email transmission sources in an authentication server, and upon reception of an email at a mail server, an inquiry about the domain corresponding to the transmission source of the email and the transmission source IP address is made to the authentication server to authenticate whether the email transmission source is appropriate.
  • Patent Literature 1 JP 2012-78922 A
  • An object of the present invention is to provide an information processing device, an information processing method, and an information processing program that allow for swift and extensive collection of appropriate email transmission sources and prevent fraudulent activities such as email spoofing.
  • An information processing device comprises: a data reception unit that accepts transmission information of an email received by each of a plurality of mail servers, the transmission information being extracted from the emails; a transmission information determination unit that determines whether the transmission source of the email is appropriate based on the transmission information; and a whitelist distribution unit that distributes the transmission source determined to be appropriate to each of the plurality of mail servers.
  • An information processing device, an information processing method, and an information processing program that allow for swift and extensive collection of appropriate email transmission sources and prevent fraudulent activities such as email spoofing are provided by an embodiment of the present invention.
  • FIG. 1 is a configuration diagram that illustrates an example of a configuration of an email system to which an information processing device according to a first embodiment is applied.
  • FIG. 2 is an explanatory diagram that illustrates an example of transmission information extracted from emails.
  • FIG. 3 is an explanatory diagram that illustrates an example of results of determination by a transmission information determination unit on whether transmission information extracted from emails indicates an appropriate transmission source.
  • FIG. 4 is an explanatory diagram that illustrates an example of a list of white transmission sources.
  • FIG. 5 is a flowchart that illustrates an example of an information processing method according to the first embodiment.
  • FIG. 6 is a configuration diagram that illustrates an example of a configuration of an email system to which an information processing device according to a second embodiment is applied.
  • FIG. 7 is a flowchart that illustrates an example of an information processing method according to the second embodiment.
  • FIG. 1 is a configuration diagram that illustrates an example of a configuration of an email system to which an information processing device 10 according to a first embodiment is applied.
  • a mail server 12 is a server that receives emails from an external terminal (not shown) via an external mail server and transmits the received emails to an internal terminal 11 .
  • the mail server 12 is provided, for example, at the boundary (demilitarized zone (DMZ)) between an internal network where connection from the Internet is restricted and an external network that can connect to the Internet arbitrarily.
  • the internal terminal 11 is a client terminal that receives emails from the mail server 12 .
  • the email system is configured with two mail servers 12 ( 12 a and 12 b ) and internal terminals 11 a and 11 b as respective terminals to receive emails from the mail servers 12 a and 12 b .
  • the email system may be configured with more mail servers 12 and internal terminals 11 , and the numbers and arrangements of the mail servers 12 and the internal terminals 11 are not limited to those illustrated in FIG. 1 .
  • the mail server 12 includes an email analysis unit 18 , a transmission information storage unit 19 , a whitelist database 20 , and a transmission/reception processing unit 22 .
  • the email analysis unit 18 extracts transmission information from an email received from the external terminal via the external mail server, and analyzes the email based on the transmission information.
  • The transmission information is the various kinds of information related to mail transmission that are extracted from an email, including the transmission source mail address (envelope from), the transmission source IP address described in the mail header, the transmission time, the mail subject, the link destination described in the mail body, the attached file name, the file extension, and the like.
  • The transmission source IP address may be specified from the IP addresses (received from) described in the mail header, as the transmission source IP address of the external mail server preceding the mail server 12 managed in the internal network where connection from the Internet is limited, or may be specified using the IP address of a connection command transmitted from a server preceding the mail server 12 .
  • the email analysis unit 18 analyzes whether the received email is a harmful mail in which the transmission source of the email is disguised by a malicious third party. Specifically, for example, the email analysis unit 18 determines whether the transmission source mail address (envelope from) and the transmission source address in the mail header match each other, and if they do not match, determines that the transmission source is disguised. Otherwise, the disguise of the transmission source may be determined by storing mail text that is assumed to be disguised in advance and collating the body of the email with the mail text.
  • the transmission information storage unit 19 stores the transmission information extracted by the email analysis unit 18 in association with information for identifying each of the internal terminals 11 to receive emails (for example, the IP address and email address of the internal terminal 11 ).
  • the transmission information is transmitted to the information processing device 10 each time it is stored in the transmission information storage unit 19 .
  • the transmission information may be transmitted to the information processing device 10 on a regular basis (for example, every two hours).
  • FIG. 2 is an explanatory diagram that illustrates an example of transmission information extracted from emails.
  • The transmission information stored in the transmission information storage unit 19 includes the transmission source mail address, the transmission source IP address, the transmission time, the mail subject, the link destination described in the mail body, and the file name of the attached file.
  • the result of determination executed by the email analysis unit 18 on whether the email is disguised may be added as the transmission information.
  • the whitelist database 20 is a database in which a list of combinations of the domain of transmission source mail address and transmission source IP address, which are appropriate as email transmission sources (there is no risk of disguised mail), is stored in advance.
  • the whitelist database 20 has a distribution data storage unit 21 in which stored are combinations of domains of transmission source mail address and transmission source IP addresses distributed from the information processing device 10 . Note that the details of the domain and the transmission source IP address corresponding to a white transmission source (appropriate as transmission source) distributed from the information processing device 10 and stored in the distribution data storage unit 21 will be described later.
  • the transmission/reception processing unit 22 executes control of transmission of the received email to the internal terminal 11 and the like. Specifically, if the domain of the transmission source mail address of the email and the transmission source IP address match a combination in the transmission source list described in the whitelist database 20 , the transmission/reception processing unit 22 determines the transmission source as appropriate and transmits the email to the internal terminal 11 . On the other hand, if they do not match any combination in the transmission source list described in the whitelist database 20 , the transmission/reception processing unit 22 controls the transmission of the email based on the result of analysis by the email analysis unit 18 on whether the email is a disguised mail.
  • the transmission/reception processing unit 22 quarantines the email inside the mail server 12 without transmitting it to the internal terminal 11 . This avoids the risk that the internal terminal 11 having received the email becomes infected with a virus or the like, thereby ensuring the safety of the terminal.
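
The gate applied by the transmission/reception processing unit 22, as an added example that is not code from the patent: a (domain, source IP) pair is checked against the whitelist first, and the envelope-from versus header-From comparison is consulted only when the pair is not listed. The function names, the sample whitelist rows (one of them a CIDR range, as in the FIG. 4 entry the page mentions) and the rule that a non-whitelisted, non-disguised mail is delivered are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed whitelist rows: (domain of the transmission source mail address,
# single transmission source IP address or CIDR range).
WHITELIST = [
    ("partner.example", "192.0.2.10"),
    ("corp.example", "198.51.100.0/24"),
]

# Constructed messages: header From matches / differs from the envelope sender.
MSG_MATCH = "From: Accounts <accounts@corp.example>\nSubject: Invoice\n\nbody\n"
MSG_MISMATCH = "From: CEO <ceo@corp.example>\nSubject: Urgent\n\nbody\n"


def is_white_source(domain, source_ip, whitelist):
    """True only if the domain AND the source IP match the same whitelist row."""
    try:
        ip = ip_address(source_ip)
    except ValueError:
        return False  # an unparseable source IP can never be a white source
    return any(
        domain == wl_domain.lower() and ip in ip_network(wl_range, strict=False)
        for wl_domain, wl_range in whitelist
    )


def is_disguised(envelope_from, raw_message):
    """Disguise analysis as the page describes it: envelope from vs. header From."""
    header_from = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    return header_from.lower() != envelope_from.lower()


def route(envelope_from, source_ip, raw_message, whitelist=WHITELIST):
    """Return 'deliver' or 'quarantine' for one received email."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    if is_white_source(domain, source_ip, whitelist):
        return "deliver"  # white pair: the disguise verdict is not consulted
    if is_disguised(envelope_from, raw_message):
        return "quarantine"  # held on the mail server, not sent to the terminal
    return "deliver"


if __name__ == "__main__":
    for ip, msg in [("198.51.100.77", MSG_MISMATCH),
                    ("203.0.113.50", MSG_MISMATCH),
                    ("203.0.113.50", MSG_MATCH)]:
        print(ip, route("accounts@corp.example", ip, msg))
```

Because the whitelist is keyed on the pair, a listed domain arriving from an address outside its listed range gets no benefit from the entry and falls through to the disguise analysis.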
  • Private domains may be stored separately from the whitelist database 20 .
  • the information processing device 10 accepts transmission information extracted from emails received by a plurality of mail servers 12 , determines whether the transmission sources are appropriate based on the transmission information, and distributes the transmission sources having been determined as appropriate to each of the mail servers 12 .
  • the information processing device 10 acquires transmission information transmitted from the plurality of mail servers 12 .
  • the information processing device 10 may acquire transmission information directly from the plurality of mail servers 12 , or may acquire transmission information via a separate server that collects transmission information.
  • the information processing device 10 may be composed of one device or may be composed of a plurality of devices.
  • the devices constituting the information processing device 10 may be installed in different rooms or different places, and a part of the information processing device 10 and the rest of the information processing device 10 may be located in remote areas.
  • the information processing device 10 includes a data reception unit 13 , a transmission information determination unit 14 , a collation data storage unit 15 , and a whitelist distribution unit 16 .
  • the functions of the units constituting the information processing device 10 may be implemented by executing predetermined program codes with the use of a processor. Instead of such software processing, the functions may be implemented, for example, by hardware processing using ASIC or the like, or by a combination of software processing and hardware processing.
  • the data reception unit 13 accepts, from each of the plurality of mail servers 12 , the transmission information of the emails extracted from the emails received by the mail server 12 .
  • the collation data storage unit 15 is a database in which malicious information harmful to the internal terminals 11 is stored in advance for each of the transmission information of the emails.
  • Stored in the collation data storage unit 15 are harmful IP addresses and link destination URLs that guide the internal terminals 11 to download malicious files or connect to websites, as well as domains of transmission source mail addresses at which mails may have been disguised, IP addresses, subjects, attached file names, file extensions, and the like.
  • the transmission information determination unit 14 determines whether the transmission source of the email is appropriate based on the transmission information of the email.
  • the transmission information determination unit 14 collates the accepted transmission information with the malicious information stored in the collation data storage unit 15 . If the accepted transmission information does not match the malicious information, the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address in the transmission information as an appropriate transmission source. On the other hand, if the received transmission information matches the malicious information, the transmission information determination unit 14 does not determine them as an appropriate transmission source.
  • the transmission information determination unit 14 may determine the domain of the transmission source mail address and the transmission source IP address to be appropriate. For example, a reference value (for example, three or more mail servers 12 ) is set for mail servers 12 from which the transmission information is accepted, and if the domain of the transmission source mail address and the transmission source IP address match each other in the transmission information received from the mail servers 12 exceeding the reference value, the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address to be appropriate.
  • the transmission information determination unit 14 may determine the domain of the transmission source mail address and the transmission source IP address to be appropriate if the result of determination on the disguise of the email is positive (the transmission information having the determination result that the email has not been disguised) and the domain of the transmission source mail address and the transmission source IP address match each other in the transmission information accepted from the plurality of mail servers 12 .
  • the transmission information determination unit 14 may determine that the transmission information is suspected of having been extracted from a suspicious email and determine the domain of the transmission source mail address and the transmission source IP address included in the transmission information to be an inappropriate transmission source.
  • the collation data storage unit 15 may store various types of transmission information that are not determined to be an appropriate transmission source by the transmission information determination unit 14 as malicious information.
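
The determination described above, as an added example that is not code from the patent: reports from several mail servers are collated against the malicious information, and a (domain, source IP) pair becomes a white transmission source only if no report for it matched and it was reported by at least the reference value of distinct mail servers (three, following the page's example). The record layout, the `server_id` field and all sample values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TransmissionInfo:
    server_id: str            # reporting mail server (assumed identifier)
    envelope_from: str        # transmission source mail address
    source_ip: str            # transmission source IP address
    link: str = ""            # link destination found in the mail body
    attachment: str = ""      # attached file name
    disguised: bool = False   # mail server's own disguise verdict


@dataclass
class CollationData:
    """Malicious information held centrally (hypothetical layout)."""
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    link_hosts: set = field(default_factory=set)
    extensions: set = field(default_factory=set)


def source_pair(info):
    """(domain, normalized IP) for a report, or None if the IP does not parse."""
    domain = info.envelope_from.rsplit("@", 1)[-1].strip().lower()
    try:
        return domain, str(ip_address(info.source_ip.strip()))
    except ValueError:
        return None


def matches_malicious(info, pair, bad):
    """True if any field of one report hits the malicious information."""
    domain, ip = pair
    host = urlsplit(info.link).hostname or ""
    name = info.attachment.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return (domain in bad.domains or ip in bad.ips
            or host in bad.link_hosts or ext in bad.extensions)


def collect_white_sources(reports, bad, reference_value=3):
    """Return (white pairs, rejected pairs) for a batch of reports."""
    seen_by = defaultdict(set)   # pair -> mail servers that reported it cleanly
    rejected = set()             # pairs with a malicious or disguised report
    for info in reports:
        pair = source_pair(info)
        if pair is None:
            continue             # no usable source IP, so no pair to judge
        if info.disguised or matches_malicious(info, pair, bad):
            rejected.add(pair)
        else:
            seen_by[pair].add(info.server_id)
    white = {pair for pair, servers in seen_by.items()
             if len(servers) >= reference_value and pair not in rejected}
    return white, rejected


# Constructed sample data (documentation address ranges, .example domains).
SAMPLE_BAD = CollationData(domains={"phish.example"}, ips={"203.0.113.66"},
                           link_hosts={"dl.bad.example"}, extensions={"scr"})
SAMPLE_REPORTS = [
    TransmissionInfo("mx-a", "billing@partner.example", "192.0.2.10"),
    TransmissionInfo("mx-a", "sales@partner.example", "192.0.2.10"),  # same server
    TransmissionInfo("mx-b", "billing@partner.example", "192.0.2.10"),
    TransmissionInfo("mx-c", "info@Partner.example", "192.0.2.10"),
    TransmissionInfo("mx-a", "news@news.example", "198.51.100.7"),
    TransmissionInfo("mx-b", "news@news.example", "198.51.100.7"),   # two servers only
    TransmissionInfo("mx-a", "deals@shop.example", "203.0.113.5"),
    TransmissionInfo("mx-b", "deals@shop.example", "203.0.113.5"),
    TransmissionInfo("mx-c", "deals@shop.example", "203.0.113.5"),
    TransmissionInfo("mx-d", "deals@shop.example", "203.0.113.5",
                     link="http://dl.bad.example/invoice"),          # malicious link
    TransmissionInfo("mx-a", "ceo@corp.example", "not-an-ip"),
]

if __name__ == "__main__":
    white, rejected = collect_white_sources(SAMPLE_REPORTS, SAMPLE_BAD)
    print("white:", sorted(white))
    print("rejected:", sorted(rejected))
```

A pair that matches nothing in the malicious information is accepted by default, so in this sketch the reference value is the only thing that stops a single reporting server from getting a pair whitelisted.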
  • FIG. 3 is an explanatory diagram that illustrates an example of results of determination on whether the transmission sources of emails are appropriate based on the transmission information of the emails.
  • the transmission information determination unit 14 determines whether each of the transmission sources is appropriate by collating the accepted transmission information with the malicious information stored in the collation data storage unit 15 .
  • the transmission information determination unit 14 determines the transmission source corresponding to the transmission information to be inappropriate. On the other hand, if each of the transmission information of the emails of which the transmission source IP address corresponds to “178.60.1.y” does not match malicious information, the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address corresponding to the transmission information to be an appropriate transmission source, that is, a white transmission source.
  • a whitelist storage unit 17 has the transmission sources determined to be appropriate stored therein.
  • the whitelist storage unit 17 accumulates the transmission sources determined to be appropriate.
  • the transmission sources stored in the whitelist storage unit 17 may be collated with the malicious information in the collation data storage unit 15 as necessary, and the results of determination on whether the transmission source is appropriate may be updated.
  • the whitelist distribution unit 16 distributes the transmission sources determined to be appropriate by the transmission information determination unit 14 to each of the plurality of mail servers 12 .
  • Each of the mail servers 12 stores the delivered transmission sources (domains of the mail addresses and the transmission source IP addresses) in the distribution data storage unit 21 .
  • the whitelist distribution unit 16 may distribute a transmission source determined to be appropriate to each of the plurality of mail servers 12 at each time of collection, or may distribute all the data of the transmission sources stored in the whitelist storage unit 17 at regular intervals. Otherwise, the information processing device 10 may accept a distribution request from the mail server 12 and distribute all the data of the transmission sources stored in the whitelist storage unit 17 .
  • the whitelist distribution unit 16 may also distribute the malicious information stored in the collation data storage unit 15 together with the transmission sources stored in the whitelist storage unit 17 to each of the mail servers 12 .
  • the email analysis unit 18 of the mail server 12 may perform disguise analysis using the distributed malicious information.
  • FIG. 4 is an explanatory diagram that illustrates an example of a whitelist stored in the whitelist database 20 ( 20 a , 20 b ).
  • Stored in advance in the whitelist database 20 are combinations of the domains of the transmission source mail address and the transmission source IP addresses determined to be appropriate as transmission sources. Every time a combination is distributed from the whitelist distribution unit 16 , it is newly stored as an appropriate transmission source.
  • FIG. 5 is a flowchart that illustrates an example of an information processing method according to the first embodiment (see FIG. 1 as appropriate).
  • the data reception unit 13 accepts, from each of the plurality of mail servers 12 , the transmission information of the emails extracted from the emails received by the mail server 12 (S 10 ).
  • the transmission information determination unit 14 collates the accepted email transmission information with the malicious information stored in the collation data storage unit 15 and determines whether the transmission source of the email is appropriate (S 11 ).
  • the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address in the transmission information to be an appropriate transmission source (S 12 : YES). On the other hand, if the accepted transmission information of the email matches the malicious information, the transmission information determination unit 14 does not determine them to be an appropriate transmission source (S 12 : NO).
  • the whitelist distribution unit 16 distributes the transmission sources determined to be appropriate by the transmission information determination unit 14 to each of the plurality of mail servers 12 (S 13 ).
  • the whitelist distribution unit 16 may distribute all the data of the transmission sources stored in the whitelist storage unit 17 at regular intervals.
  • the information processing device 10 can quickly and widely collect appropriate transmission sources of emails.
  • the capability of widely collecting appropriate transmission sources of emails in a short period of time prevents fraudulent acts such as spoofing of emails.
  • In the present embodiment, white transmission sources are collected and distributed based on the transmission information of emails actually received by the plurality of mail servers 12 . Even if the combinations of domains of transmission source mail addresses and IP addresses change, the latest appropriate transmission sources can therefore be used quickly, without the administrator of each mail server having to register the combinations of domains and transmission source IP addresses in a DNS server in advance, as in SPF authentication, for example.
  • By updating the white transmission sources based on the transmission information of the actually received emails, it is possible to follow changes in the domains and the transmission source IP addresses, so that the white transmission source list can be kept in the latest state.
  • a malicious third party cannot register a combination of domain of a mail address and a transmission source IP address as a transmission source, so that it is possible to prevent emails received from the malicious third party from being determined to be an appropriate transmission source on the mail server 12 .
  • FIG. 6 is a diagram that illustrates an example of a configuration of the information processing device 10 according to the second embodiment.
  • parts having the same configuration or function as that of the first embodiment ( FIG. 1 ) are denoted by the same reference numerals, and duplicate description will be omitted.
  • The information processing device 10 receives the domains of the transmission source mail addresses and the transmission source IP addresses registered by the users of the internal terminals 11 or the administrators of the mail servers 12 , and distributes the registered domains of the transmission source mail addresses and the registered transmission source IP addresses as appropriate transmission sources to each of the mail servers 12 .
  • the whitelist database 20 of the mail server 12 further has a registration data storage unit 23 in which stored are combinations of the domains of the transmission source mail addresses and the transmission source IP addresses that are appropriate transmission sources of emails registered by the users of the internal terminals 11 or the administrators of the mail servers 12 .
  • the user of the internal terminal 11 causes a registration screen for registering transmission sources to be displayed on the terminal, and registers a transmission source including a combination of domain of a transmission source mail address and a transmission source IP address.
  • the registered transmission source is stored in the registration data storage unit 23 .
  • the registration screen displayed on the user terminal may be configured to be capable of displaying the registration data of the transmission sources already registered in the registration data storage unit 23 of the whitelist database 20 .
  • the registration data of the transmission sources stored in the registration data storage unit 23 may be compared and collated with the distribution data of the transmission sources distributed from the information processing device 10 and stored in the distribution data storage unit 21 , and the registration data matching the distribution data may be displayed such that the user can recognize the registration data being stored as distribution data (for example, the registration data matching the distribution data is displayed with an identification mark).
  • The data reception unit 13 accepts, from the mail servers 12 , transmission sources registered by the users, which include combinations of domains of transmission source mail addresses and transmission source IP addresses. Note that at the time of transmitting transmission sources to the information processing device 10 , each of the mail servers 12 may add identification information for identifying the mail server 12 to the transmission sources. As a result, the information processing device 10 can identify from which mail server 12 each of the accepted transmission sources has been transmitted.
  • the data reception unit 13 may accept a combination of domain of one transmission source mail address and a plurality of transmission source IP addresses associated with each other and registered by the user. For example, as shown in No. 3 of FIG. 4 , the data reception unit 13 accepts one domain in association with transmission source IP addresses specifying a specific address range using Classless Inter-Domain Routing (CIDR).
  • FIG. 7 is a flowchart that illustrates an example of an information processing method according to the second embodiment (see FIG. 6 as appropriate).
  • The data reception unit 13 accepts a transmission source registered by the user, which includes a combination of a domain of a transmission source mail address and a transmission source IP address (S20).
  • The transmission information determination unit 14 determines whether this transmission source is appropriate based on the accepted combination of the domain of the source mail address and the source IP address (S21).
  • The whitelist distribution unit 16 distributes the transmission source (the domain of the mail and the transmission source IP address) determined to be appropriate to each of the mail servers 12a and 12b including the mail server 12 related to the registration of the transmission source by the user (S22: YES, S23).
  • The whitelist distribution unit 16 may distribute all the data of the transmission sources stored in the whitelist storage unit 17 at regular intervals. On the other hand, if the transmission source is not determined to be appropriate, the whitelist distribution unit 16 does not distribute the transmission source to the mail servers 12 (S22: NO).
  • The information processing device 10 distributes transmission sources registered by the users to the mail servers 12 so that white transmission sources can be immediately shared between the plurality of mail servers and a list of widely collected white transmission sources can be made.
  • The information processing device 10 according to the second embodiment may be combined with the configuration of the information processing device 10 in the first embodiment, that is, the configuration of collecting and distributing transmission sources determined to be white based on the transmission information of emails actually received by the plurality of mail servers 12.
  • the information processing devices of the above-described embodiments it is possible to collect appropriate transmission sources of emails quickly and widely by determining the transmission sources of the emails to be appropriate based on the transmission information extracted from each of the mail servers and distributing the transmission sources to each of the mail servers, and it is possible to prevent fraudulent acts such as email spoofing by grasping the transmission sources more timely and accurately than in SPF authentication.
  • The programs to be executed by the information processing device 10 are provided by being incorporated in advance in a storage circuit such as a ROM. Alternatively, the programs may be provided as a file in an installable or executable format stored on a computer-readable storage medium such as a CD-ROM, CD-R, memory card, DVD, or flexible disk.
  • The programs to be executed by the information processing device 10 may be stored on a computer connected to a network such as the Internet and provided by downloading via the network.

Abstract

An information processing device 10 comprises a data reception unit 13 that accepts transmission information of an email received by each of a plurality of mail servers 12, the transmission information being extracted from the emails; a transmission information determination unit 14 that determines whether the transmission source of the email is appropriate based on the transmission information; and a whitelist distribution unit 16 that distributes the transmission source determined to be appropriate to each of the plurality of mail servers.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
The present application is the U.S. national phase of PCT Application No. PCT/JP2019/031960 filed on Aug. 14, 2019, which claims the benefit and priority to Japanese Application No. 2018-152773 filed on Aug. 14, 2018, the disclosures of which are incorporated herein by reference in their entireties.
TECHNICAL FIELD
The embodiment of the present invention relates to an information processing device, an information processing method, and an information processing program.
BACKGROUND ART
In recent years, there have been increasing targeted email attacks of sending an email from a disguised transmission source mail address to a specific person for the purpose of causing the person to access an attached file or a link destination so that their terminal becomes infected with a virus or the like.
Conventionally, as techniques for handling emails from disguised transmission sources, so called “spoofed” emails, transmission source domain authentication technologies such as Sender Policy Framework (SPF) authentication, DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC) have been widely used.
In SPF authentication, combinations of domains of transmission source mail addresses and transmission source IP addresses are registered in advance as appropriate email transmission sources in an authentication server, and upon reception of an email at a mail server, an inquiry about the domain corresponding to the transmission source of the email and the transmission source IP address is made to the authentication server to authenticate whether the email transmission source is appropriate.
CITATION LIST
Patent Literature
Patent Literature 1: JP 2012-78922 A
SUMMARY OF INVENTION
Problem to be Solved by Invention
In the mail authentication system that requires preliminary registration of combinations of transmission source domains and IP addresses, as in the above-mentioned transmission source domain authentication technology, the registered corporations and organizations are limited, so there is a limit to the scope of the authentication. In addition, if either the transmission source domain or the transmission source IP address is changed due to the replacement of the mail system or the like, a combination of the transmission source domain and the transmission source IP address needs to be registered again for matched authentication. For this reason, in some cases, it is not possible to keep up with changes in the transmission source domain and the transmission source IP address.
Furthermore, with the conventional transmission source domain authentication technology, if a malicious third party themselves registers a combination of a transmission source domain and IP address in the authentication server, an email from the malicious third party will be received with a matched authentication result.
The present invention has been made in consideration of such circumstances. An object of the present invention is to provide an information processing device, an information processing method, and an information processing program that allow for swift and extensive collection of appropriate email transmission sources and prevent fraudulent activities such as email spoofing.
Means for Solving Problem
An information processing device according to an embodiment of the present invention comprises: a data reception unit that accepts transmission information of an email received by each of a plurality of mail servers, the transmission information being extracted from the emails; a transmission information determination unit that determines whether the transmission source of the email is appropriate based on the transmission information; and a whitelist distribution unit that distributes the transmission source determined to be appropriate to each of the plurality of mail servers.
Effect of Invention
An information processing device, an information processing method, and an information processing program that allow for swift and extensive collection of appropriate email transmission sources and prevent fraudulent activities such as email spoofing are provided by an embodiment of the present invention.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a configuration diagram that illustrates an example of a configuration of an email system to which an information processing device according to a first embodiment is applied.
FIG. 2 is an explanatory diagram that illustrates an example of transmission information extracted from emails.
FIG. 3 is an explanatory diagram that illustrates an example of results of determination by a transmission information determination unit on whether transmission information extracted from emails indicates an appropriate transmission source.
FIG. 4 is an explanatory diagram that illustrates an example of a list of white transmission sources.
FIG. 5 is a flowchart that illustrates an example of an information processing method according to the first embodiment.
FIG. 6 is a configuration diagram that illustrates an example of a configuration of an email system to which an information processing device according to a second embodiment is applied.
FIG. 7 is a flowchart that illustrates an example of an information processing method according to the second embodiment.
DESCRIPTION OF EMBODIMENTS
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.
FIG. 1 is a configuration diagram that illustrates an example of a configuration of an email system to which an information processing device 10 according to a first embodiment is applied.
A mail server 12 is a server that receives emails from an external terminal (not shown) via an external mail server and transmits the received emails to an internal terminal 11. The mail server 12 is provided, for example, at the boundary (demilitarized zone (DMZ)) between an internal network where connection from the Internet is restricted and an external network that can connect to the Internet arbitrarily.
The internal terminal 11 is a client terminal that receives emails from the mail server 12.
In this example, the email system is configured with two mail servers 12 (12a and 12b) and internal terminals 11a and 11b as respective terminals to receive emails from the mail servers 12a and 12b. Otherwise, the email system may be configured with more mail servers 12 and internal terminals 11, and the numbers and arrangements of the mail servers 12 and the internal terminals 11 are not limited to those illustrated in FIG. 1.
The mail server 12 includes an email analysis unit 18, a transmission information storage unit 19, a whitelist database 20, and a transmission/reception processing unit 22.
The email analysis unit 18 extracts transmission information from an email received from the external terminal via the external mail server, and analyzes the email based on the transmission information. The transmission information is various kinds of information related to mail transmission extracted from an email, and includes the transmission source mail address (envelope from), the transmission source IP address described in the mail header, the transmission time, the mail subject, the link destination described in the mail body, the attached file name, the file extension, and the like. The transmission source IP address may be specified, out of the IP addresses (received from) described in the mail header, from the transmission source IP address of the external mail server preceding the mail server 12 managed in the internal network where connection from the Internet is limited, or may be specified using the IP address of a connection command transmitted from a server preceding the mail server 12.
Based on the extracted transmission information, the email analysis unit 18 analyzes whether the received email is a harmful mail in which the transmission source of the email is disguised by a malicious third party. Specifically, for example, the email analysis unit 18 determines whether the transmission source mail address (envelope from) and the transmission source address in the mail header match each other, and if they do not match, determines that the transmission source is disguised. Otherwise, the disguise of the transmission source may be determined by storing mail text that is assumed to be disguised in advance and collating the body of the email with the mail text.
The transmission information storage unit 19 stores the transmission information extracted by the email analysis unit 18 in association with information for identifying each of the internal terminals 11 to receive emails (for example, the IP address and email address of the internal terminal 11). The transmission information is transmitted to the information processing device 10 each time it is stored in the transmission information storage unit 19. Alternatively, the transmission information may be transmitted to the information processing device 10 on a regular basis (for example, every two hours).
FIG. 2 is an explanatory diagram that illustrates an example of transmission information extracted from emails.
As illustrated in FIG. 2, the transmission information stored in the transmission information storage unit 19 includes the transmission source mail address, the transmission source IP address, the transmission time, the mail subject, the link destination described in the mail body, and the file name of the attached file. The result of determination executed by the email analysis unit 18 on whether the email is disguised may be added as the transmission information.
The whitelist database 20 is a database in which a list of combinations of the domain of transmission source mail address and transmission source IP address, which are appropriate as email transmission sources (there is no risk of disguised mail), is stored in advance. The whitelist database 20 has a distribution data storage unit 21 in which stored are combinations of domains of transmission source mail address and transmission source IP addresses distributed from the information processing device 10. Note that the details of the domain and the transmission source IP address corresponding to a white transmission source (appropriate as transmission source) distributed from the information processing device 10 and stored in the distribution data storage unit 21 will be described later.
The transmission/reception processing unit 22 executes control of transmission of the received email to the internal terminal 11 and the like. Specifically, if the domain of the transmission source mail address of the email and the transmission source IP address match a combination in the transmission source list described in the whitelist database 20, the transmission/reception processing unit 22 determines the transmission source as appropriate and transmits the email to the internal terminal 11. On the other hand, if they do not match any combination in the transmission source list described in the whitelist database 20, the transmission/reception processing unit 22 controls the transmission of the email based on the result of analysis by the email analysis unit 18 on whether the email is a disguised mail. For example, if determining the email to be disguised, the transmission/reception processing unit 22 quarantines the email inside the mail server 12 without transmitting it to the internal terminal 11. This avoids the risk that the internal terminal 11 having received the email becomes infected with a virus or the like, thereby ensuring the safety of the terminal.
Domains that can be used not only by corporations and organizations but also by individuals, such as free mail domains and domains under the jurisdiction of providers, are likely to be used for targeted mails, and thus it is desirable to exclude such domains from white transmission sources stored in the whitelist database 20. Private domains may be stored separately from the whitelist database 20.
The information processing device 10 according to the first embodiment accepts transmission information extracted from emails received by a plurality of mail servers 12, determines whether the transmission sources are appropriate based on the transmission information, and distributes the transmission sources having been determined as appropriate to each of the mail servers 12.
The information processing device 10 acquires transmission information transmitted from the plurality of mail servers 12. The information processing device 10 may acquire transmission information directly from the plurality of mail servers 12, or may acquire transmission information via a separate server that collects transmission information.
Note that the information processing device 10 may be composed of one device or may be composed of a plurality of devices. When the information processing device 10 is composed of a plurality of devices, the devices constituting the information processing device 10 may be installed in different rooms or different places, and a part of the information processing device 10 and the rest of the information processing device 10 may be located in remote areas.
The information processing device 10 includes a data reception unit 13, a transmission information determination unit 14, a collation data storage unit 15, and a whitelist distribution unit 16.
The functions of the units constituting the information processing device 10 may be implemented by executing predetermined program codes with the use of a processor. Instead of such software processing, the functions may be implemented, for example, by hardware processing using ASIC or the like, or by a combination of software processing and hardware processing.
The data reception unit 13 accepts, from each of the plurality of mail servers 12, the transmission information of the emails extracted from the emails received by the mail server 12.
The collation data storage unit 15 is a database in which malicious information harmful to the internal terminals 11 is stored in advance for each item of the transmission information of the emails. For example, stored in the collation data storage unit 15 are harmful IP addresses and link destination URLs that guide the internal terminals 11 to download malicious files or connect to websites, and domains of transmission source mail addresses at which mails may have been disguised, IP addresses, subjects, attached file names, file extensions, and the like.
The transmission information determination unit 14 determines whether the transmission source of the email is appropriate based on the transmission information of the email. The transmission information determination unit 14 collates the accepted transmission information with the malicious information stored in the collation data storage unit 15. If the accepted transmission information does not match the malicious information, the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address in the transmission information as an appropriate transmission source. On the other hand, if the received transmission information matches the malicious information, the transmission information determination unit 14 does not determine them as an appropriate transmission source.
In addition, if there is a match among the domain of the transmission source mail address and the transmission source IP address included in the transmission information accepted from the plurality of mail servers 12, the transmission information determination unit 14 may determine the domain of the transmission source mail address and the transmission source IP address to be appropriate. For example, a reference value (for example, three or more mail servers 12) is set for mail servers 12 from which the transmission information is accepted, and if the domain of the transmission source mail address and the transmission source IP address match each other in the transmission information received from the mail servers 12 exceeding the reference value, the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address to be appropriate. The transmission information determination unit 14 may determine the domain of the transmission source mail address and the transmission source IP address to be appropriate if the result of determination on the disguise of the email is positive (the transmission information having the determination result that the email has not been disguised) and the domain of the transmission source mail address and the transmission source IP address match each other in the transmission information accepted from the plurality of mail servers 12.
If the attached file name and the extension included in the transmission information accepted from the plurality of mail servers 12 match among the transmission information, the transmission information determination unit 14 may determine that the transmission information is suspected of having been extracted from a suspicious email and determine the domain of the transmission source mail address and the transmission source IP address included in the transmission information to be an inappropriate transmission source.
The collation data storage unit 15 may store various types of transmission information that are not determined to be an appropriate transmission source by the transmission information determination unit 14 as malicious information.
FIG. 3 is an explanatory diagram that illustrates an example of results of determination on whether the transmission sources of emails are appropriate based on the transmission information of the emails. The transmission information determination unit 14 determines whether each of the transmission sources is appropriate by collating the accepted transmission information with the malicious information stored in the collation data storage unit 15.
As illustrated in FIG. 3 , if there exists “http:// . . . /a.html” as a link destination in the transmission information of the email corresponding to the transmission source IP address “178.50.1.x” and this link destination matches malicious information, the transmission information determination unit 14 determines the transmission source corresponding to the transmission information to be inappropriate. On the other hand, if each of the transmission information of the emails of which the transmission source IP address corresponds to “178.60.1.y” does not match malicious information, the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address corresponding to the transmission information to be an appropriate transmission source, that is, a white transmission source.
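The determination described above (collation against malicious information, plus the optional reference value of mail servers reporting the same pair) can be sketched as follows. This is an added example, not code from the patent: the class and function names, the rule that a single rejected report disqualifies the pair, and all addresses and domains are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TransmissionInfo:
    """One record reported by a mail server (fields follow FIG. 2)."""
    server_id: str            # identifies the reporting mail server
    envelope_from: str        # transmission source mail address
    source_ip: str            # transmission source IP address
    links: tuple = ()         # link destinations found in the mail body
    attachments: tuple = ()   # attached file names
    disguised: bool = False   # result of the mail server's disguise analysis


@dataclass
class CollationData:
    """Malicious information used for collation (hypothetical model)."""
    ips: frozenset = frozenset()
    domains: frozenset = frozenset()
    links: frozenset = frozenset()
    attachments: frozenset = frozenset()

    def matches(self, info: TransmissionInfo) -> bool:
        # A hit on any single item is enough to fail the collation.
        return (
            info.source_ip in self.ips
            or domain_of(info.envelope_from) in self.domains
            or any(link in self.links for link in info.links)
            or any(n.lower() in self.attachments for n in info.attachments)
        )


def domain_of(address: str) -> str:
    """Domain part of a mail address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].strip().lower()


def determine_white_sources(reports, collation, reference_value=3):
    """Return the (domain, ip) pairs determined to be appropriate.

    A pair is white when no report for it matches the malicious
    information or is flagged as disguised, and at least
    `reference_value` distinct mail servers reported it.
    """
    servers_by_source = defaultdict(set)
    rejected = set()
    for info in reports:
        source = (domain_of(info.envelope_from), info.source_ip)
        if info.disguised or collation.matches(info):
            rejected.add(source)  # assumption: one bad report taints the pair
        else:
            servers_by_source[source].add(info.server_id)
    return {
        source
        for source, servers in servers_by_source.items()
        if source not in rejected and len(servers) >= reference_value
    }


def sample_reports():
    """Constructed reports from three mail servers (documentation addresses)."""
    bad_link = "http://malicious.example/a.html"
    return [
        # Clean pair seen by three distinct servers: becomes white.
        TransmissionInfo("ms-a", "sales@example.com", "198.51.100.10"),
        TransmissionInfo("ms-b", "Sales@Example.COM", "198.51.100.10"),
        TransmissionInfo("ms-c", "info@example.com", "198.51.100.10"),
        # Seen by three servers, but one report carries a malicious link.
        TransmissionInfo("ms-a", "a@example.net", "203.0.113.7"),
        TransmissionInfo("ms-b", "a@example.net", "203.0.113.7"),
        TransmissionInfo("ms-c", "a@example.net", "203.0.113.7", links=(bad_link,)),
        # Clean, but reported by only two servers: below the reference value.
        TransmissionInfo("ms-a", "b@example.org", "192.0.2.5"),
        TransmissionInfo("ms-b", "b@example.org", "192.0.2.5"),
        # Three reports from the same server count as one server.
        TransmissionInfo("ms-a", "c@example.edu", "192.0.2.99"),
        TransmissionInfo("ms-a", "c@example.edu", "192.0.2.99"),
        TransmissionInfo("ms-a", "c@example.edu", "192.0.2.99"),
    ]


SAMPLE_COLLATION = CollationData(links=frozenset({"http://malicious.example/a.html"}))

if __name__ == "__main__":
    print(determine_white_sources(sample_reports(), SAMPLE_COLLATION))
```

Counting distinct reporting servers rather than raw reports keeps one busy mail server from satisfying the reference value on its own.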
A whitelist storage unit 17 has the transmission sources determined to be appropriate stored therein. The whitelist storage unit 17 accumulates the transmission sources determined to be appropriate. The transmission sources stored in the whitelist storage unit 17 may be collated with the malicious information in the collation data storage unit 15 as necessary, and the results of determination on whether the transmission source is appropriate may be updated.
The whitelist distribution unit 16 distributes the transmission sources determined to be appropriate by the transmission information determination unit 14 to each of the plurality of mail servers 12. Each of the mail servers 12 stores the delivered transmission sources (domains of the mail addresses and the transmission source IP addresses) in the distribution data storage unit 21. The whitelist distribution unit 16 may distribute a transmission source determined to be appropriate to each of the plurality of mail servers 12 at each time of collection, or may distribute all the data of the transmission sources stored in the whitelist storage unit 17 at regular intervals. Otherwise, the information processing device 10 may accept a distribution request from the mail server 12 and distribute all the data of the transmission sources stored in the whitelist storage unit 17.
The whitelist distribution unit 16 may also distribute the malicious information stored in the collation data storage unit 15 together with the transmission sources stored in the whitelist storage unit 17 to each of the mail servers 12. The email analysis unit 18 of the mail server 12 may perform disguise analysis using the distributed malicious information.
FIG. 4 is an explanatory diagram that illustrates an example of a whitelist stored in the whitelist database 20 (20 a, 20 b). Stored in advance in the whitelist database 20 are combinations of the domains of the transmission source mail address and the transmission source IP addresses determined to be appropriate as transmission sources. Every time a combination is distributed from the whitelist distribution unit 16, it is newly stored as an appropriate transmission source.
Subsequently, the operations of the information processing device 10 according to the first embodiment will be described.
FIG. 5 is a flowchart that illustrates an example of an information processing method according to the first embodiment (see FIG. 1 as appropriate).
The data reception unit 13 accepts, from each of the plurality of mail servers 12, the transmission information of the emails extracted from the emails received by the mail server 12 (S10).
The transmission information determination unit 14 collates the accepted email transmission information with the malicious information stored in the collation data storage unit 15 and determines whether the transmission source of the email is appropriate (S11).
Then, if the transmission information of the accepted email does not match the malicious information, the transmission information determination unit 14 determines the domain of the transmission source mail address and the transmission source IP address in the transmission information to be an appropriate transmission source (S12: YES). On the other hand, if the accepted transmission information of the email matches the malicious information, the transmission information determination unit 14 does not determine them to be an appropriate transmission source (S12: NO).
The whitelist distribution unit 16 distributes the transmission sources determined to be appropriate by the transmission information determination unit 14 to each of the plurality of mail servers 12 (S13). The whitelist distribution unit 16 may distribute all the data of the transmission sources stored in the whitelist storage unit 17 at regular intervals.
As described above, the information processing device 10 according to the first embodiment can quickly and widely collect appropriate transmission sources of emails. The capability of widely collecting appropriate transmission sources of emails in a short period of time prevents fraudulent acts such as spoofing of emails.
If the combinations of domains of transmission source mail addresses and IP addresses change due to the replacement of the mail system or the change of domain information, the administrator of each mail server needs to register again the changed combinations of domains and transmission source IP addresses in SPF authentication or the like.
On the other hand, in the present embodiment, by collecting and distributing white transmission sources based on the transmission information of emails actually received by the plurality of mail servers 12, even if the combinations of domains of transmission source mail addresses and IP addresses change, it is possible to quickly use the latest appropriate transmission sources without the administrator of each mail server having to register in advance the combinations of domains and transmission source IP addresses in a DNS server as in SPF authentication, for example. In other words, by updating the white transmission sources based on the transmission information of the actually received emails, it is possible to follow the change of the domains and the transmission source IP addresses, so that the white transmission source list can be kept in the latest state. In addition, unlike in SPF authentication, a malicious third party cannot register a combination of domain of a mail address and a transmission source IP address as a transmission source, so that it is possible to prevent emails received from the malicious third party from being determined to be an appropriate transmission source on the mail server 12.
Second Embodiment
FIG. 6 is a diagram that illustrates an example of a configuration of the information processing device 10 according to the second embodiment. In FIG. 6, parts having the same configuration or function as that of the first embodiment (FIG. 1) are denoted by the same reference numerals, and duplicate description will be omitted.
The information processing device 10 according to the second embodiment receives the domains of the transmission source mail addresses and the transmission source IP addresses registered by the users of the internal terminals 11 or the administrators of the mail servers 12, and distributes the registered domains of the transmission source mail addresses and the registered transmission source IP addresses as appropriate transmission sources to each of the mail servers 12.
A specific configuration will be described.
The whitelist database 20 of the mail server 12 further has a registration data storage unit 23 in which stored are combinations of the domains of the transmission source mail addresses and the transmission source IP addresses that are appropriate transmission sources of emails registered by the users of the internal terminals 11 or the administrators of the mail servers 12.
Note that the user of the internal terminal 11 (or the administrator of the mail server 12) causes a registration screen for registering transmission sources to be displayed on the terminal, and registers a transmission source including a combination of domain of a transmission source mail address and a transmission source IP address. The registered transmission source is stored in the registration data storage unit 23.
The registration screen displayed on the user terminal may be configured to be capable of displaying the registration data of the transmission sources already registered in the registration data storage unit 23 of the whitelist database 20. At this time, the registration data of the transmission sources stored in the registration data storage unit 23 may be compared and collated with the distribution data of the transmission sources distributed from the information processing device 10 and stored in the distribution data storage unit 21, and the registration data matching the distribution data may be displayed such that the user can recognize the registration data being stored as distribution data (for example, the registration data matching the distribution data is displayed with an identification mark).
The data reception unit 13 accepts, from the mail servers 12, transmission sources registered by the users, which include combinations of domains of transmission source mail addresses and transmission source IP addresses. Note that at the time of transmitting transmission sources to the information processing device 10, each of the mail servers 12 may add identification information for identifying the mail server 12 to the transmission sources. As a result, the information processing device 10 can identify from which mail server 12 each of the accepted transmission source has been transmitted.
The data reception unit 13 may accept a combination of the domain of one transmission source mail address and a plurality of transmission source IP addresses associated with each other and registered by the user. For example, as shown in No. 3 of FIG. 4, the data reception unit 13 accepts one domain in association with transmission source IP addresses specifying a specific address range using Classless Inter-Domain Routing (CIDR).
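On the mail server side, the delivery control of the transmission/reception processing unit 22 and the CIDR-range entries mentioned here can be sketched together as follows. This is an added example, not code from the patent: the names `Whitelist` and `decide`, the free-mail domain list, the choice to deliver non-whitelisted mail that is not disguised, and all addresses are constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for free-mail / provider domains, which the
# description says should be kept out of the white transmission sources.
FREE_MAIL_DOMAINS = {"freemail.example"}


class Whitelist:
    """Domain -> list of IP networks; a single IP is stored as /32 or /128."""

    def __init__(self):
        self._entries = {}

    def add(self, domain: str, ip_or_cidr: str) -> bool:
        domain = domain.lower()
        if domain in FREE_MAIL_DOMAINS:
            return False  # never whitelist domains anyone can register under
        # strict parsing: "198.51.100.10/24" (host bits set) raises ValueError
        network = ipaddress.ip_network(ip_or_cidr)
        self._entries.setdefault(domain, []).append(network)
        return True

    def contains(self, domain: str, ip: str) -> bool:
        address = ipaddress.ip_address(ip)
        # Both halves must match: the domain alone or the IP alone is not enough.
        return any(address in net for net in self._entries.get(domain.lower(), []))


def is_disguised(envelope_from: str, raw_headers: str) -> bool:
    """Disguise check from the description: envelope from vs. header From."""
    header_from = parseaddr(message_from_string(raw_headers).get("From", ""))[1]
    return header_from.lower() != envelope_from.lower()


def decide(whitelist: Whitelist, envelope_from: str, source_ip: str, raw_headers: str):
    """Return (action, reason) for one received email."""
    domain = envelope_from.rsplit("@", 1)[-1]
    if whitelist.contains(domain, source_ip):
        return ("deliver", "white transmission source")
    if is_disguised(envelope_from, raw_headers):
        return ("quarantine", "not whitelisted and disguised")
    # Assumption: mail that is neither whitelisted nor disguised is delivered.
    return ("deliver", "not whitelisted, not disguised")


def build_sample_whitelist() -> Whitelist:
    """Constructed entries: one CIDR range and one single address."""
    wl = Whitelist()
    wl.add("example.com", "198.51.100.0/24")
    wl.add("example.org", "192.0.2.25")
    wl.add("freemail.example", "203.0.113.9")  # refused
    return wl


if __name__ == "__main__":
    wl = build_sample_whitelist()
    headers = "From: Alice <alice@example.com>\nSubject: Invoice\n\n"
    print(decide(wl, "alice@example.com", "198.51.100.77", headers))
    print(decide(wl, "alice@example.com", "203.0.113.50", headers))
    print(decide(wl, "bounce@example.net", "203.0.113.50", headers))
```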
The transmission information determination unit 14 determines whether this transmission source is appropriate based on the accepted combination of the domain of the transmission source mail address and the transmission source IP address. Specifically, the transmission information determination unit 14 determines whether this transmission source is appropriate by collating the accepted domain of the transmission source mail address and the accepted transmission source IP address with the malicious information stored in the collation data storage unit 15.
A whitelist storage unit 17 stores the transmission sources determined to be appropriate. Note that the transmission information determination unit 14 need not necessarily determine whether the domain of the transmission source mail address and the transmission source IP address registered by the user (or the administrator) in the mail server 12 and accepted by the data reception unit 13 are appropriate; instead, the domain of the transmission source mail address and the transmission source IP address accepted by the data reception unit 13 may be stored in the whitelist storage unit 17 without that determination.
The whitelist distribution unit 16 distributes the transmission source stored in the whitelist storage unit 17 to each of the mail servers 12 including the mail server 12 related to the registration of the transmission source. Note that the whitelist distribution unit 16 may distribute a transmission source to each of the plurality of mail servers 12 each time the transmission source is stored in the whitelist storage unit 17, or may distribute all the data of the transmission sources stored in the whitelist storage unit 17 at regular intervals. Otherwise, the information processing device 10 may accept a distribution request from the mail server 12 and distribute all the data of the transmission sources stored in the whitelist storage unit 17.
A distribution method in the second embodiment will be specifically described with reference to FIG. 6. When a transmission source including a combination of a domain of a transmission source mail address and a transmission source IP address is registered in a registration data storage unit 23 a in a mail server 12 a, this transmission source is transmitted to the information processing device 10. The transmission information determination unit 14 of the information processing device 10 determines whether the transmitted domain and transmission source IP address are appropriate. When it is determined that the transmission source is appropriate, the whitelist distribution unit 16 transmits this transmission source to the mail servers 12 a and 12 b. Each of the mail servers 12 a and 12 b stores the transmitted transmission source in distribution data storage units 21 a and 21 b, respectively.
Subsequently, the operations of the information processing device 10 according to the second embodiment will be described.
FIG. 7 is a flowchart that illustrates an example of an information processing method according to the second embodiment (see FIG. 6 as appropriate).
The data reception unit 13 accepts a transmission source registered by the user, which includes a combination of a domain of a transmission source mail address and a transmission source IP address (S20).
The transmission information determination unit 14 determines whether this transmission source is appropriate based on the accepted combination of the domain of the source mail address and the source IP address (S21).
The whitelist distribution unit 16 distributes the transmission source (the domain of the mail and the transmission source IP address) determined to be appropriate to each of the mail servers 12 a and 12 b including the mail server 12 related to the registration of the transmission source by the user (S22: YES, S23). The whitelist distribution unit 16 may distribute all the data of the transmission sources stored in the whitelist storage unit 17 at regular intervals. On the other hand, if the transmission source is not determined to be appropriate, the whitelist distribution unit 16 does not distribute the transmission source to the mail servers 12 (S22: NO).
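The S20 to S23 flow above, including the CIDR registration and the collation against malicious information described earlier, sketched as an added Python example (not code from the patent). The class and method names, the in-memory stores, the rule that a registered range is inappropriate when it overlaps any malicious address, and the sample domains and addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

def normalize_domain(domain: str) -> str:
    """Lower-case and drop the trailing dot so 'Example.COM.' == 'example.com'."""
    d = domain.strip().rstrip(".").lower()
    if not d or "@" in d or " " in d:
        raise ValueError(f"not a mail domain: {domain!r}")
    return d

@dataclass(frozen=True)
class TransmissionSource:
    domain: str
    networks: tuple  # one domain may carry several IP addresses or CIDR ranges

    @classmethod
    def parse(cls, domain, addresses):
        # strict=True rejects ranges with host bits set, e.g. 198.51.100.10/24
        nets = tuple(ipaddress.ip_network(a, strict=True) for a in addresses)
        if not nets:
            raise ValueError("at least one transmission source IP address is required")
        return cls(normalize_domain(domain), nets)

    def covers(self, domain, ip):
        addr = ipaddress.ip_address(ip)
        return normalize_domain(domain) == self.domain and any(addr in n for n in self.networks)

@dataclass
class CollationData:  # stands in for the collation data storage unit 15
    domains: set
    networks: list

    def is_malicious(self, source):
        if source.domain in self.domains:
            return True
        # Assumed policy: any overlap with a malicious address rejects the whole range.
        return any(n.version == bad.version and n.overlaps(bad)
                   for n in source.networks for bad in self.networks)

@dataclass
class MailServer:
    name: str
    distribution_data: list = field(default_factory=list)  # storage unit 21

    def is_whitelisted(self, domain, ip):
        return any(s.covers(domain, ip) for s in self.distribution_data)

class InformationProcessingDevice:
    def __init__(self, collation, mail_servers):
        self.collation = collation
        self.mail_servers = mail_servers
        self.whitelist = []  # whitelist storage unit 17

    def register(self, domain, addresses):
        try:
            source = TransmissionSource.parse(domain, addresses)  # S20: accept
        except ValueError:
            return False
        if self.collation.is_malicious(source):                   # S21, S22: NO
            return False
        if source not in self.whitelist:
            self.whitelist.append(source)
        for server in self.mail_servers:                          # S22: YES, S23
            if source not in server.distribution_data:
                server.distribution_data.append(source)
        return True

def demo():
    # Constructed sample data; all addresses are documentation ranges.
    collation = CollationData({"bad.example"}, [ipaddress.ip_network("192.0.2.66/32")])
    server_a, server_b = MailServer("12a"), MailServer("12b")
    device = InformationProcessingDevice(collation, [server_a, server_b])
    results = {
        "cidr": device.register("Partner.Example.", ["198.51.100.0/24"]),
        "bad_ip_in_range": device.register("vendor.example", ["192.0.2.0/24"]),
        "bad_domain": device.register("bad.example", ["203.0.113.5"]),
        "host_bits": device.register("typo.example", ["198.51.100.10/24"]),
    }
    return results, server_a, server_b
```

Only the combination is whitelisted: a lookup must match both the domain and an address inside the registered range, so a listed domain seen from an unlisted address does not pass.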
The information processing device 10 according to the second embodiment distributes transmission sources registered by the users to the mail servers 12 so that white transmission sources can be immediately shared between the plurality of mail servers and a list of widely collected white transmission sources can be made.
Note that the information processing device 10 according to the second embodiment may be combined with the configuration of the information processing device 10 in the first embodiment, that is, the configuration of collecting and distributing transmission sources determined to be white based on the transmission information of emails actually received by the plurality of mail servers 12.
According to the information processing devices of the above-described embodiments, appropriate transmission sources of emails can be collected quickly and widely by determining the transmission sources of the emails to be appropriate based on the transmission information extracted from each of the mail servers and distributing the transmission sources to each of the mail servers. Fraudulent acts such as email spoofing can also be prevented, because the transmission sources are grasped in a more timely and accurate manner than with SPF authentication.
The programs to be executed by the information processing device 10 are provided by being incorporated in advance in a storage circuit such as a ROM. Alternatively, the programs may be provided as a file in an installable or executable format stored on a computer-readable storage medium such as a CD-ROM, CD-R, memory card, DVD, or flexible disk. The programs to be executed by the information processing device 10 may be stored on a computer connected to a network such as the Internet and provided by downloading via the network.
Although some embodiments of the present invention have been described, these embodiments are presented as examples and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other modes, and various omissions, replacements, and changes can be made without departing from the gist of the invention. These embodiments and modifications thereof are included in the scope of the invention and the gist thereof as well as the invention described in the claims and the equivalent scope thereof.
REFERENCE SIGNS LIST
  • 10 Information processing device
  • 11 Internal terminal
  • 12 Mail server
  • 13 Data reception unit
  • 14 Transmission information determination unit
  • 15 Collation data storage unit
  • 16 Whitelist distribution unit
  • 17 Whitelist storage unit
  • 18 Email analysis unit
  • 19 Transmission information storage unit
  • 20 Whitelist database
  • 21 Distribution data storage unit
  • 22 Transmission/reception processing unit
  • 23 Registration data storage unit

Claims (8)

The invention claimed is:
1. An information processing device comprising a processor: the processor being configured to:
accept transmission information of an email received by each of a plurality of mail servers, the transmission information being extracted from the email;
determine whether a transmission source of the email is appropriate based on the transmission information, wherein the transmission source includes a combination of a domain of a transmission source mail address and a transmission source IP address; and
distribute the transmission source determined to be appropriate to each of the plurality of mail servers.
2. The information processing device according to claim 1, wherein
the transmission information includes various kinds of information related to transmission in the received email,
the information processing device comprises a collation data storage unit that stores harmful malicious information in advance for each of the transmission information, and
the processor is configured to collate the accepted transmission information with the malicious information to determine whether the transmission source of the email is appropriate.
3. The information processing device according to claim 1, wherein,
if there is a match in the transmission source included in the transmission information among a plurality of the transmission information accepted from the plurality of mail servers, the processor is configured to determine the transmission source to be appropriate.
4. The information processing device according to claim 2, comprising a whitelist storage unit in which the transmission source determined to be appropriate is stored, wherein
the processor is configured to collate the stored transmission source with the malicious information, and to update a result of determination on whether the transmission source is appropriate.
5. The information processing device according to claim 1, wherein
the processor is configured to accept the transmission source including the combination of the domain of the transmission source mail address and the transmission source IP address registered by a user, and distribute the transmission source to each of the mail servers.
6. An information processing device comprising a processor: the processor being configured to:
accept a transmission source including a combination of a domain of a transmission source mail address and a transmission source IP address registered by a user in each of a plurality of mail servers;
determine whether the accepted transmission source including the combination of the domain of the transmission source mail address and the transmission source IP address are appropriate; and
distribute the transmission source determined to be appropriate to each of the mail servers.
7. The information processing device according to claim 6, wherein
the processor is configured to accept the transmission source including a combination of one domain of mail and a plurality of transmission source IP addresses registered by the user.
8. An information processing method comprising:
a step of accepting transmission information of an email received by each of a plurality of mail servers, the transmission information being extracted from the email;
a step of determining whether a domain of a transmission source and a transmission source IP address of the email is appropriate based on the transmission information; and
a step of distributing the domain of the transmission source and the transmission source IP address determined to be appropriate to each of the plurality of mail servers.
US17/268,279 2018-08-14 2019-08-14 Information processing device, information processing method and information processing program Active 2040-02-17 US11785026B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2018152773A JP6669954B2 (en) 2018-08-14 2018-08-14 Information processing apparatus, information processing method, and information processing program
JP2018-152773 2018-08-14
PCT/JP2019/031960 WO2020036201A1 (en) 2018-08-14 2019-08-14 Information processsing device, information processing method, and information processing program

Publications (2)

Publication Number Publication Date
US20210320930A1 US20210320930A1 (en) 2021-10-14
US11785026B2 true US11785026B2 (en) 2023-10-10

Family

ID=69525436

Family Applications (1)

Application Number Title Priority Date Filing Date
US17/268,279 Active 2040-02-17 US11785026B2 (en) 2018-08-14 2019-08-14 Information processing device, information processing method and information processing program

Country Status (6)

Country Link
US (1) US11785026B2 (en)
EP (1) EP3839752A4 (en)
JP (1) JP6669954B2 (en)
CN (1) CN112534417A (en)
SG (1) SG11202101380UA (en)
WO (1) WO2020036201A1 (en)


Also Published As

Publication number Publication date
WO2020036201A1 (en) 2020-02-20
CN112534417A (en) 2021-03-19
EP3839752A4 (en) 2022-04-20
SG11202101380UA (en) 2021-03-30
US20210320930A1 (en) 2021-10-14
JP6669954B2 (en) 2020-03-18
JP2020027510A (en) 2020-02-20
EP3839752A1 (en) 2021-06-23


Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

AS Assignment

Owner name: DIGITAL ARTS INC., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DOGU, TOSHIO;MATSUMOTO, TAKUYA;SATOH, MITSUNARI;SIGNING DATES FROM 20210316 TO 20210326;REEL/FRAME:056149/0518

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE